On Tuesday, Microsoft warned about a malicious campaign targeting SQL servers that uses a built-in PowerShell binary to persist on affected systems.
The intrusions, which make the most of brute-force attacks as an initial compromise vector, are exceptional for their use of “sqlps.exe.,” the tech giant said in a series of tweets.
The objective of the campaign and the threat actor behind is unknown. Microsoft uses the name “SuspSQLUsage” to track the malware.
The sqlps.exe utility, which, by default, is part of all versions of SQL Servers, allows SQL Agent to run jobs using the PowerShell subsystem.
“The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” Microsoft noted.
Besides, the attacker is using the same module to create a new account with sysadmin role, which may allow attackers to seize control of the SQL Server.
In the past, many times attackers have weaponized legitimate binaries that are present in an environment; the method is called living-off-the-land (LotL).
The method has an advantage since it entails going without files, which don’t leave any artifacts, and the antivirus is also less likely to identify it because the software is a trusted one.
The idea is to allow the attacker to blend in with regular network activity and normal administrative tasks while remaining hidden for extended periods.
“The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behaviour of scripts in order to expose malicious code,” Microsoft said.